LogRhythm makes quick work of digging through system logs

Most network administrators will tell you the worst part of their job, with the possible exception of taking physical inventory (shudder!), is digging through system logs. This usually only happens when something goes wrong, so the network administrator often has a great deal of pressure to find what happened when and then fix the problem as soon as possible.

To top it off, being fluent in all the different log file formats is next to impossible for most human beings. A network appliance that specifically gathers and analyzes all of the log files in your system would really come in handy in this situation.

LogRhythm 5.1 is a quite extensive log management, analysis and event management solution for pretty much any size of network. It gets the log data from every computer and other device on your network and analyzes them once they are all in one place. Once this is done, a network administrator can look at activity through a single user interface and can find out things that would take hours to discover by looking at the various raw log files themselves.

The reason LogRhythm can do this quickly is that the developers broke it down into a few key components, each of which can be run on separate computers if the need warrants it.

The Log Manager is the device that actually gathers the log data from the computers and determines whether a particular log message needs to be sent to the next level. If so, the Event Manager acts on the particular log message, depending on what rules have been set up. The Console is the user interface that shows the accumulated events and allows the network administrator to investigate and make rule changes.

LogRhythm comes in a variety of implementations. The one we looked at was a single, 2U rackmountable appliance that contained all three components. Larger implementations might have the Log Manager and Event Manager on separate machines, or even have multiple Log Managers responsible for different parts of the network.

Connecting the appliance to the network was not difficult, although learning what functions the console program was capable of took some time. The Log Manager’s ability to automatically find devices on our network impressed us greatly.

Once the logs were all gathered, the user interface displayed a dashboard view of recent log messages and events. Pretty much anything we clicked on in this view brought up a more detailed list of log messages. We were able to sort or filter this list by any of the fields simply by clicking the column header and selecting what we wanted to do.

Of course, LogRhythm will automatically find and collect log data from pretty much every platform out there and had no problem finding all of the computers on our test network. However, LogRhythm also provides an Agent that can be installed on a network server. The Agent collects that computer’s log data and sends it to the Log Manager.

This has a couple of benefits. First, it reduces the resource load on the Log Manager, since that is one fewer machine whose logs need collecting. Second, the single, periodic transmission of the log bundle requires only one open channel, as opposed to the three that would be typically used in the constant back-and-forth between the Log Manager and that computer. So, although the Agent isn’t necessary for LogRhythm to function, it could be desired in more secure setups.

One of the things LogRhythm impressed us with was its efforts to meet the validation requirements in the Federal Information Processing Standards. LogRhythm has ensured that the communication between each of its component systems, as well as between the Agent software and the Log Manager, can be configured to operate using all FIPS-validated crypto algorithms. Since this can be a tricky process, LogRhythm offers instructions on how to set up its products in a FIPS-validated mode, which should make it a bit easier to comply with government mandates.

The one possible weak point of the LogRhythm 5.1 is its price. For the single-appliance solution we had in the lab, LogRhythm has set the price at $25,000. We felt this might be a bit higher than many organizations would want to pay, but considering the literally hundreds of hours of log mining it could save, it is not an unreasonable price.

LogRhythm also offers other implementations, such as software that you install on your own servers, so there should be a pricing level that most network administrators can live with.